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SYSTEM AND METHOD FOR PREVENTING ILLEGAL USE OF SOFTWARE 
BACKGROUND OF THE INVENTION 

5 1 . Field of the Invention 

The present invention relates to a system and method for preventing illegal use 
of software, in particular, a system for preventing an illegal user from decrypting secret 
information stored in an IC card or the like, which is distributed to a general user. 

This application is based on Patent Application No. Hei 10-125619 filed in 
1 0 Japan, the contents of which are incorporated herein by reference. 

2. Description of the Related Art 

When An IC card for medical use stores software including secret information 
concerning patients, it is necessary to prevent a third party from decrypting such secret 
1 5 information and illegally using it. 

For example, there are two conventional systems used for preventing illegal use 

of software: 

Fig. 5 is a diagram showing the first conventional system for keeping the 
control program in the operating system (OS) for a microcomputer (i.e., a semiconductor 
20 integrated circuit) secret (refer to Japanese Patent Application, First Publication, No. Hei 
8-185361). 

In Fig. 5, microcomputer 1 includes a system memory (i.e., storage means) 2, a 
rewritable and nonvolatile memory, in which a control program such as the Kernel in the 
OS is stored. The system memory 2 stores (i) decrypting key FK used for decrypting 
25 data such as an encrypted control program based on a specific decrypting algorithm, and 
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(ii) decryptog-proc^s InfonnaUon FT which includes a program for executing fte 
de^ingalgori*mbyusing*edecryp.ing.eyFK. The decrypting key FK and 
decrypting-process infnnnaHon FT are s«,red in the systen, n,en,ory 2; thus, a user can 

rewrite this data as the user chooses. 

There are two types of the applicable cryptosystems, a synunetrical 
cryptosystem in which encrypting and decrypting ope«tions are perfomted using the 
same key, and an asynm>etrical cryptosystem in which encrypting and decrypting 
operations are perfonned using different keys. Either system can be used in the system 
of Fig. 5. I« the encrypting and decrypting operations, a reversible operation such as 
exchange or inversion in a speciHc bit sequence is controlled using a key. 

The microcomputer 1 also comprises input/output circuit 3 for inputting or 
OMtputting data via externa bus Bg, and RAM 4 for storing specific data input from the 
input/output circuit 3. The microcomputer 1 fi^er comprises CPU (central processing 
um.) 5 which controls all the operations of the microcomputer . . Decoding means FS 
5 in this system consists of CPU 5, decrypting key FK, and decrypting-process 

information FT. The system memory 2, input/output circuit 3, RAM 4, and CPU 5 are 
connected with each other via an internal bus 6. 

The conventional system (for preventing illegal use of software) having the 
above structure employs the following method for protecting secret information from an 
20 illegal user. 

In this system, a function of CPU 5 for protecting commands and data is used. 
The system memory 2 can be accessed only in the supervisor mode. Therefore, 
generally, secret information stored in the system memory 2 cannot be retrieved by a 
general user. 

25 m second conventional system for preventing illegal use employs a dedicated 



device or means for storing secret information, and has the function of physically 
destroying the dedicated device when an illegal user tries to physically analyze the 
system. 

However, the above first and second illegal-use preventing systems have the 

following problems. 

The problem caused by the first system is that secret information cannot be 
completely protected by the relevant software. The reason is that the secret- 
information protecting means in the first system only inhibits an access in a mode other 
than the supervisor mode; thus, if an illegal user tries to perform an analysis using a 
software debugger which is operated in the supervisor mode, the protection of secret 
information is ineffective. 

The problem caused by the second system is that if such a dedicated means is 
wholly constructed using software, secret information itself must be stored in a general 
file storage device. In this case, the secret information can also be stored in another file 
storage device as a backup copy. Therefore, if an illegal user stores backup data of 
secret information in another file storage device in advance, it is easy to restore the 
backup data even if secret information stored in the main file storage system is 
destroyed. 

SUMMARY OF THE INVENTION 
In consideration of the above circumstances, an objective of the present 
invention is to provide a system and method for preventing illegal use of software, 
which cannot be analyzed by using a software debugger which operates in any mode, 
and secret information stored in which cannot be retrieved even if backup data of the 
secret information is stored in another device. 
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Therefore, the present invention provides a system for preventing illegal use of 
software, comprising: 

secret information storage means for storing secret information; 
cryptosystem key storage means for storing a cryptosystem key used for 
5 decrypting the secret information stored in the secret information storage means; 

illegal access determining means for determining whether an illegal access to 
the system is performed; and 

cryptosystem key updating means for: 

providing the same key for a cryptosystem key used for reencrypting 
0 the secret information stored in the secret information storage means and a cryptosystem 
key which is stored as the updated cryptosystem key in the cryptosystem key storage 
means if the illegal access determining means detects no illegal access; 

providing different keys for the above two kinds of cryptosystem keys 
if the illegal access determining means detects an illegal access; and 
5 wherein the cryptosystem key updating means updates the above two kinds of 

cryptosystem keys for each access to the system. 

The present invention also provides a method and a storage medium storing a 
computer-executable program, which correspond to the above system. 

In the present invention, the illegal access determining means (for detecting an 
10 illegal operation) is provided. If an illegal user who accesses the system tries to 

decrypt the secret information stored in the secret information storage means, the secret 
information cannot be accurately decrypted, while a legal user who accesses the system 
can decrypt the encrypted secret information stored in the secret information storage 
means by performing a specific operation necessary for the decryption. That is, from 
5 the second access, the secret information caimot be decrypted, and it is possible to 
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prevent an illegal user from retrieving secret information used in a software by analyzing 
the system by using a software debugger or by falsifying the software. 

In addition, the secret information storage means and the cryptosystem key 
storage means may be separately constructed. In this case, backup data of the secret 
. information and the cryptosystem key can be stored, for example, in different file 
storage devices. As different cryptosystem keys are provided by the cryptosystem key 
updating means when an illegal operation is detected, even if an illegal user restores the 
secret information after the system becomes abnormal due to an illegal operation, 
normal operation using correct secret information becomes impossible. 
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BRIEF DESCRIPTION OF THE DRAWINGS 
Fig. 1 is a block diagram showing the system arrangement as an embodiment 
according to the present invention. 
S Fig. 2 is a flowchart showing the operations of the embodiment. 

1 5 Fig. 3 is a diagram explaining the operations executed when normal access is 

performed. 

Fig. 4 is a diagram explaining the operations executed when illegal access is 

attempted by an illegal user. 

Fig. 5 is a block diagram showing an example of the conventional system for 

20 preventing illegal use of software. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
Hereinafter, an embodiment of the present invention will be explained with 
reference to the drawings. 
25 (1) Structure of the embodiment 



Fig. 1 is a block diagram showing the structure of the system for preventing 
illegal use of software in the present embodiment. 

As shown in Fig. 1, the system of the present embodiment comprises program- 
controlled data processor 100, and file storage devices 110 and 113. 

The data processor 100 includes illegal operation detecting unit 101 functioning 
as the illegal access determining means of the present invention, cryptosystem key 
readout unit 102, cryptosystem key updating unit 103, cryptosystem key storing xmit 104, 
decrypting unit 105, and encrypting unit 106. The operations of these units will be 
explained later. 

The file storage device 113 includes secret information storage unit 1 12 for 
storing encrypted secret information, and the file storage device 1 10 includes 
cryptosystem key storage unit 1 1 1 for storing a cryptosystem key necessary for 
decrypting the encrypted secret information stored in the secret information storage unit 
1 12. Here, the cryptosystem key storage unit 1 1 1 and the secret information storage 
imit 1 12 are respectively stored in different file storage devices so as to prevent an 
illegal user fi"om retrieving the cryptosystem key and the secret information in a single 
operation. That is, in the present system, two backup operations are necessary for 
storing backup data of the cryptosystem key and the secret information. 

The operations of the above units 101 to 106 will be explained below. 

The illegal operation detecting unit 101 detects whether an illegal user who 
wants secret information (for example, a secret key used in a secret-key cryptosystem or 
an encrypting algorithm itself) tries to read out the secret information (the practical 
method will be explained later). If it is detected that such an illegal try is performed, 
the illegal operation detecting unit 101 informs the cryptosystem key updating unit 103 
(explained below) of the detected result. 



The cryptosystem key readout unit 102 reads out crj^tosystem key a for 
decrypting secret information from the cryptosystem key storage unit 111. 

The cryptosystem key updating unit 103 updates the cryptosystem key in a 
specific operation depending on the situation (explained below), and sends the updated 
key to the cryptosystem key storing unit 104 and the encrypting unit 106. 

That is, if an illegal try for reading out the secret information has been detected 
by the illegal operation detecting unit 101, the cryptosystem key updating unit 103 sends 
completely different cryptosystem keys b and c to the cryptosystem key storing unit 104 
and the encrypting unit 1 06 (i.e., cryptosystem key b =^ cryptosystem key c). In the 
normal operation (when no illegal try for reading out the secret information is 
performed), the cryptosystem key updating unit 103 sends the same key as the 
cryptosystem keys b and c, to the cryptosystem key storing unit 104 and the encrypting 
unit 106 (i.e., cryptosystem key 6 = cryptosystem key c). 

The cryptosystem key storing imit 104 stores the new cryptosystem key b, 
updated by the cryptosystem key updating unit 103, into the cryptosystem key storage 
unit 111. 

The decrypting unit 1 05 reads out the encrypted secret information from the 
secret information storage imit 1 12, and decrypts the secret information using the 
cryptosystem key a read out by the cryptograph-key readout unit 102 so as to obtain the 
secret information necessary for performing specific operations of the system. 

The encrypting unit 106 reencrypts the secret information (decrypted by the 
decrypting unit 105) by using new cryptosystem key c updated by the cryptosystem key 
updating unit 103, and stores the reencrypted secret information into the secret 
information storage unit 112. 
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(2) Operation 

the operations of the present embodiment will be explained in detail with 
reference to the above Fig. 1 and the flowchart shown in Fig. 2. 

First, cryptosystem key readout unit 102 reads out cryptosystem key a from the 
cryptosystem key storage unit 1 1 1 (see step Al in Fig. 2). 

Next, illegal operation detecting unit 101 detects whether an illegal user who 
wants secret information tries to read out the secret information (see step A2). In this 
detection, for example, it is examined whether an illegal user falsifies the present system 
(for preventing illegal use of software) operating in the data processor 100. Such an 
examination is performed by, for example, detecting a falsifying operation using 
electronic signatures and secret-key encryption. Simultaneously, a program-analyzing 
operation using a software debugger is also detected. 

The cryptosystem key updating unit 103 updates the cryptosystem key for 
reencrypting the secret information (see step A3 or A4). 

That is, if no illegal operation is detected by the illegal operation detecting unit 
101 in step A2 (i.e., the detection result is "NO"), the cryptosystem key updating unit 
103 provides the same key for (i) cryptosystem key b stored by the cryptosystem key 
storing unit 104 into the cryptosystem key storage imit 1 1 1 and (ii) cryptosystem key c 
used by the encrypting unit 106 for reencrypting the secret information (i.e., 
cryptosystem key b = cryptosystem key c) (see step A3). 

On the other hand, if an illegal operation is detected in step A2 (i.e., the 
detection result is "YES"), the cryptosystem key updating xmit 103 provides completely 
different keys as cryptosystem keys b and c (i.e., cryptosystem key b =^ cryptosystem 



key c) (see step A4). 

In the cryptosystem-key updating operation performed by the unit 103, a one- 
direction function or a pseudo-random number is used for generating a new 
cryptosystem key so that cryptosystem keys a and c are not easily calculated or 
determined with reference to cryptosystem key b. 

The decrypting unit 105 reads out the encrypted secret information from the 
secret information storage unit 1 12, and decrypts the information using the cryptosystem 
key a read out by the cryptosystem key readout unit 102 so that non-encrypted original 
secret information is retrieved (see step A5). Therefore, an operation using the secret 
information, such as a transaction-authenticating operation using the secret-key 
encryption, is performed (see step A6). 

The encrypting unit 106 reencrypts the secret information, which was decrypted 
by the decrypting imit 105, by using the cryptosystem key c updated by the cryptosystem 
key updating unit 103 (see step A7), and stores the reencrypted secret information into 
the secret information storage vmit 1 12 (see step A8). 

The cryptosystem key storing unit 104 stores the cryptosystem key b updated 
by the cryptosystem key updating imit 103 into the cryptosystem key storage unit 1 1 1 
(see step A9). 

(3) Example 

Below, an example according to the present embodiment will be explained with 
reference to Figs. 3 and 4. 

(3-1) When no illegal try is performed: 

Fig. 3 is a diagram explaining the operations executed when no illegal try is 
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performed by an illegal user. 

As shown in Fig. 3, initial cryptosystem key al (whose code (value) is 
"01010101") may be stored in the cryptosystem key storage unit 111, and secret 
information encrypted using the cryptosystem key al is stored in the secret information 
storage unit 1 12. Here, the code length of the cryptosystem key is 8 bits for ease of 
explanation. However, actually, a key consisting of a much longer code (generally, a 
few ten to a few thousand of bits) is used according to the strength of the encryption 
algorithm. 

In step Al in the first execution, the cryptosystem key readout unit 102 reads 
out cryptosystem key al from the cryptosystem key storage unit 111. Here, no illegal 
try is detected in step A2; thus, new cryptosystem keys bl and cl (which were updated 
in step A3) are the same (i.e., "101 1 1000"), as described above (i.e., cryptosystem key 
bl = cryptosystem key cl). The decrypting unit 105 decrypts the secret information 
using the first cryptosystem key al (see step A5). The encrypting unit 106 reencrypts 
the decrypted secret information by using updated cryptosystem key ci ("101 1 1000") 
(see step A7). In addition, the cryptosystem key storing unit 104 stores the updated 
cryptosystem key &i ("101 1 1000") into the cryptosystem key storage unit 1 1 1 (see step 
A9). 

In step Al in the second execution, the cryptosystem key readout unit 102 reads 
out cryptosystem key bl (= cryptosystem key a2\ "101 1 1000") which was stored into the 
cryptosystem key storage unit 1 1 1 in the step S9. The decrypting unit 1 05 decrypts the 
encrypted secret information (stored in the secret information storage unit 1 12) by using 
this cryptosystem key a2 (see step A5). The secret information to be decrypted was 
encrypted in the first execution by using cryptosystem key cl (= cryptosystem key bl \ 
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"1011 1000"). As the cryptosystem keys a2 and cl have the same code value 
("1011 1000"), the decryptmg operation is accurately performed so that correct secret 
information can be obtained. 

Similar operations are performed from the third execution and the cryptosystem 
key for encrypting the secret information is updated for each execution, and correct 
secret information can be obtained in each execution. 

(3-2) When an illegal try is performed: 

Fig. 4 is a diagram explaining the operations executed when an illegal try is 
performed by an illegal user. 

As shown in Fig. 4, initial cryptosystem key al (whose code (value) is 
"01010101") may be stored in the cryptosystem key storage unit 111, and secret 
information encrypted using the cryptosystem key al is stored in the secret information 
storage unit 112. 

In step A 1 in the first execution, the cryptosystem key readout unit 102 reads 
out cryptosystem key al. Here, an illegal try is detected in step A2; thus, new 
cryptosystem keys bl and cl (which were updated in step A3) have different code values 
(i.e., "10111000" and"11100101")(i.e.,cryptosystemkeyW ^ cryptosystem key c7). 

The decrypting unit 105 decrypts the secret information using the first 
cryptosystem key al (see step A5). The encrypting unit 106 reencrypts the decrypted 
secret information by using the updated cryptosystem key cl ("1 1 100101 '*) (see step A7). 
In addition, the cryptosystem key storing unit 104 stores the updated cryptosystem key 
67 ("101 1 1000") into the cryptosystem key storage unit 1 1 1 (see step A9). 

In step A 1 in the second execution, the cryptosystem key readout unit 102 reads 
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out cryptosystem key a2 ("101 1 1000"). The decrj^jting unit 105 decrypts the secret 
information, stored in the cryptosystem key storage unit 1 1 1 , by using this cryptosystem 
key a2 (see step A5). The secret information to be decrypted was encrypted in the first 
execution by using the cryptosystem key c7 (" 1 1 1 00 1 0 1 Here, cryptosystem keys a2 
and cl have different code values ("101 1 1000" and "1 1 100101"); thus, decryption 
cannot be accurately performed and the obtained secret information is not correct. 

In order for an illegal user to obtain correct secret information after this phase, 
the illegal user must know the code value " 1 1 1 00 1 0 1 " of the cryptosystem key cl . As 
this value is not stored in the file storage unit 1 10, it is necessary to try any possible 
value for the cryptosystem key. The above illegal-use preventing method can have an 
effect or strength sufficient for practical use though it depends on the encrypting 
algorithm and the code length of the key. 

Before the first execution, the secret infonnation which was encrypted by the 
cryptosystem key a7 ("01010101") stored in the cryptosystem key storage unit 1 1 1 may 
be stored in another file storage device as backup data in advance. However, in the 
above situation in which the obtained secret information is not correct, even though the 
encrypted secret information can be restored, it is difficult to retrieve the correct secret 
information because the code value of the cryptosystem key al is lost in this phase. 

If the code value of cryptosystem key al stored in the cryptosystem key storage 
unit 1 1 1 is also stored in another file storage device before the first execution, the 
retrieval of the secret information is not impossible. However, such a detailed system 
structure can be known by an illegal user only via an illegal analysis using a software 
debugger (that is, via an illegal try detected by the illegal-operation detecting unit 101). 

From the third execution (of the steps in the flowchart of Fig. 2), similar 
operations are performed and the correct secret information cannot be obtained. When 
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such execution is repeated, encrypting and decrypting operations are performed using a 
different cryptosystem key for each execution; thus, retrieval of the secret information 
becomes very difficult. 

The present invention is suitably applicable to IC cards which are distributed to 
many persons in general. In another application, the present invention can be used 
when distributing software or microcomputers (such as semiconductor integrated 
circuits) using secret information (a secret key for authentication) which relate to 
electronic transactions and thus should be secret to third parties. 



